Shellshock

On September 24, a security researcher disclosed a vulnerability in bash, also referred to as CVE-2014-6271 or Shellshock. Bash is widely used, and the vulnerability is not a Barracuda-specific issue but rather one that impacts any system that uses bash. This vulnerability allows hackers to easily insert malicious code into web servers and other hosts to carry out attacks and steal data.

Once the vulnerability became public, our security team immediately developed security definitions that were rolled out to all Barracuda customers through our automated Energize Updates from Barracuda Central. The vulnerability has been mitigated for all appliances with an active Energize Updates subscription on the current hardware platform. You can read about those updates here.

As the rate of security attacks continues to increase in both sophistication and frequency, our customers can be assured that Barracuda provides quick resolution to threats as they appear. As always, we recommend that customers enable automatic attack definition updates, particularly in the event of such a widespread attack, and keep their systems up to date with the latest firmware releases.

This post is designed to help you configure your Barracuda Web Application Firewall to protect your systems from Shellshock. If you are not familiar with this vulnerability, see this post.

The Barracuda Web Application Firewall has generic signatures that mitigate the Shellshock vulnerability. These signatures are in the OS Command Injection Strict rule set. By default, however, this rule set is not applied to header values. Barracuda has created a new attack definition update that adds specific signatures to the OS Command Injection rule set to protect against this attack.
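The gap described above, where a rule set inspects parameters but not header values, shown as an added example (not Barracuda's signatures or code): a minimal detector flags values that begin with a bash function definition and is run over constructed requests with header inspection off and then on. The pattern, the field names and the sample requests are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# A value that starts with a bash function definition: "()" followed by "{".
# The whitespace tolerance is an assumption of this example, not a vendor signature.
FUNC_DEF_PREFIX = re.compile(r"\s*\(\)\s*\{")

# Constructed sample requests (not real traffic); the marker command is inert.
SAMPLE_REQUESTS = [
    {"id": 1, "params": {"q": "firewall"},
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"id": 2, "params": {"q": "test"},
     "headers": {"User-Agent": "() { :; }; echo constructed-marker"}},
    {"id": 3, "params": {"cmd": "%28%29%20%7B%20%3A%3B%20%7D%3B%20echo%20constructed-marker"},
     "headers": {"User-Agent": "curl/7.38.0"}},
    {"id": 4, "params": {},
     "headers": {"User-Agent": "ExampleBot/1.0 (+http://example.invalid/bot) ()"}},
]


def findings(request, inspect_headers):
    """Return (location, field) pairs whose decoded value starts like a function definition."""
    sources = [("param", request["params"])]
    if inspect_headers:
        sources.append(("header", request["headers"]))
    hits = []
    for location, fields in sources:
        for name, value in fields.items():
            # Decode percent-encoding first so encoded parameters are not missed.
            if FUNC_DEF_PREFIX.match(unquote_plus(value)):
                hits.append((location, name))
    return hits


def flagged_ids(requests, inspect_headers):
    """IDs of requests with at least one finding under the given inspection scope."""
    return [r["id"] for r in requests if findings(r, inspect_headers)]


if __name__ == "__main__":
    print("parameters only:     ", flagged_ids(SAMPLE_REQUESTS, inspect_headers=False))
    print("parameters + headers:", flagged_ids(SAMPLE_REQUESTS, inspect_headers=True))
```

Request 2 is only caught once header values are in scope, which is the case the updated definitions are meant to cover.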

If you have not updated the bash shell across your web servers, or have reason to believe that you are affected, we strongly recommend updating to the latest attack definitions. Note that attack definitions are automatically updated by default, unless you have explicitly turned this OFF.

We have released Attack Definitions (attackdef) version 1.78, which contains enhancements to our OS Command Injection pattern group to catch the attack vectors in the exploits for CVE-2014-6271 and CVE-2014-7169.

You can view your attackdef version on the ADVANCED > Energize Updates page.

On September 24, a security researcher disclosed a vulnerability in bash dubbed Shellshock. Bash is widely used, and the vulnerability is not a Barracuda-specific issue but rather one that impacts any system that uses bash. This vulnerability allows hackers to easily insert malicious code into web servers to carry out attacks and steal data.

The Barracuda security team is aware of this report and is evaluating which, if any, Barracuda products are affected by this Linux vulnerability. To address the vulnerability, we released secdef 2.1.14182, which was rolled out through our automatic update mechanism to all customers with an active Energize Updates subscription. As always, we recommend that customers enable automatic attack definition updates, and keep their systems up to date with the latest Firmware release.

We will update this blog post with more information as it becomes available. If you have any questions about this vulnerability, please contact our support team at 888-268-4772.

Register here for a complimentary webinar to learn more about the Shellshock vulnerability and how the Barracuda Web Application Firewall can be used to stop this attack. Webinar: Friday, September 26, 10am PDT.

For a risk-free 30-day evaluation of the Barracuda Web Application Firewall, click here.

Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.